By: Amy Bender
The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.
In what is now, however unfortunate, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that provided the hacker access to their personal information stored on the clinic’s computer database, such as their Social Security number, date of birth, and medical history. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she actually did not allege those charges were the result of the clinic’s data breach.
Instead of claiming any violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, violation of the Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding that measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.
The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.
Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.
Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.
For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.